Authentication and Key Agreement via Memorable Password
Taekyoung Kwon
University of California, Berkeley
[email protected] or [email protected]
Up dated on August 20, 2000
Preliminary Version 2.51 since May 1, 2000
Abstract
This pap er presents a new password authentication and key agreement proto col, AMP,
based on the ampli ed password idea. The intrinsic problems with password authentica-
tion are the password itself has lowentropy and the password le is very hard to protect.
Wepresent the ampli ed password pro of and the ampli ed password le for solving these
problems. A party commits the high entropy information and ampli es her password
with that information in the amplifed password pro of. She never shows any informa-
tion except that she knows it. Our ampli ed password pro of idea is very similar to the
zero-knowledge pro of in that sense. We adds one more idea; the ampli ed password
le for password le protection. Aserver stores the ampli ed veri ers in the ampli ed
password le that is secure against a server le compromise and a dictionary attack.
AMP mainly provides the password-veri er based authentication and the Die-Hellman
based key agreement, securely and eciently. AMP is easy to generalize in any other
cyclic groups. In spite of those plentiful prop erties, AMP is actually the most ecient
proto col among the related proto cols due to the simultaneous multiple exp onentiation
i n n+ + ++ c
metho d. Several variants such as AMP ,AMP ,AMP , AMP ,AMP , and AMP
n
are also prop osed. Among them, AMP is actually the basic proto col of this pap er that
describ es the ampli ed password pro of idea while AMP is the most complete proto col
i
that adds the ampli ed password le. AMP simply removes the ampli ed password le
from AMP.Intheend,we give a comparison to the related proto cols in terms of eciency.
This manuscript is a preliminary version of our pap er available from the IACR eprint
archive, http://eprint.iacr.org/2000/026. The proto cols describ ed in this pap er were
submitted as a contribution to the IEEE P1363 study group for future PKC standards,
Ultimate Solution to Authentication via Memorable Password[23 ]. It is available from the
website, http://grouper.ieee.org/groups/1363/StudyGroup/Passwd.html#amp.
Keywords: Authentication, key agreement, password guessing, password veri er, public-
key cryptography, discrete logarithm problem, Die-Hellman problem, ampli ed pass-
word pro of, ampli ed password le. 1
1 Intro duction
Entity authentication is one of the most imp ortant security functions. It is necessary for
verifying the identities of the communicating parties when they initiate their connection.
This function is usually provided in combination with a key establishment scheme such as
key transp ort or key agreement between the parties. For user authentication, three kinds
of approaches exist; knowledge-based authentication, token-based authentication,andbiometric
authentication. Among them, the knowledge-based scheme is for human memory ( mind).
Actually, it is the most widely-used metho d due to such advantages as simplicity,convenience,
adaptability, mobility, and less hardware requirement. It requires users only to remember
and typ e in their knowledge such as a password or PIN(p ersonal identi cation number).
Therefore, users are allowed to move conveniently without carrying hardware tokens. How-
ever, a complex problem with this password-only authentication is that a human-memorable
password has lowentropy so that it could b e vulnerable to malicious guessing attacks. The
problem b ecomes much more critical in an op en distributed environment. Moreover, pass-
word le protection is another problem that makes password authentication more unreliable.
If a password le is compromised, at least it is vulnerable to dictionary attacks. A cryp-
tographic proto col based on public-key cryptography is the most promising solution to this
problem.
1
Password Protocols. Since the rst scheme, LGSN[25 ], was intro duced in 1989, many
proto cols have followed it. Among them, EKE[7] was a great landmark of certi cate-free
proto cols. One variant of EKE, DH-EKE[7 ], intro duced the password authentication and
key agreement, and was \enhanced" to A-EKE[8 ] that was the rst veri er-based proto col to
resist a password- le compromise and to accommo date salt while there was an earlier work
describing the use of salt[38 ]. GLNS[15 ] was enhanced from LGSN. Due to the ineciency and
constraints of older schemes, various mo di cations and improvements have followed. They
include TH[37 ], AL[1 ], M-EKE[36 ], Gong[16 ], KS[21], SPEKE[18, 19 ], S3P[34 ], SRP[39 ],
HK[17 ], and GXY[22 ]. However, some of them have been broken and some are still b eing
cryptanalyzed[2 , 13 , 31 , 9 ]; most were inadequate for the security pro of due to ad-ho c meth-
o ds of protecting the password. In the mean time, OKE[26 ] intro duced a provable approach
and was followed by several great work such as SNAPI[27 ], EKE2[5], AuthA[6], and PAK[10 ].
They show the provable approach in this area is getting matured.
Among the password proto cols, A-EKE, B-SPEKE, SRP, GXY, SNAPI-X, AuthA, and
PAK-X are classi ed as password-veri er based proto cols[8 , 19 , 39 , 22 , 27 , 6, 10 ]. They allow
the asymmetric mo del in which a client p ossesses a password, while a server stores its veri er
rather than the password. Following A-EKE[8 ], B-SPEKE was augmented from SPEKE[18,
1
Readers are referred to Figure 8 attached in App endix of this do cument. Jablon's work[18 ] is recommended
as the b est tutorial for the password proto col study while Wu's work[39 ] is the b est for the veri er proto col
study. Bellare and Rogaway's work[3 ] is the fundamental of the provable approach. 2
19 ]. SRP showed ecientwork on a veri er and GXY was derived from SRP[39, 22]. SNAPI-
X was augmented from SNAPI while PAK-X was enhanced from PAK[27 , 10 ]. AuthA was
derived from several previous proto cols but strongly studies a provable approach[6 ]. How-
ever, even the veri er-based proto cols still allow dictionary attacks and server imp ersonation
attacks if a server le is compromised. Currently, standardization work on this eld is b eing
considered in IEEE P1363 group.
Contribution. Our goal is to design a new proto col in a provable manner, which com-
bines the following functions securely and eciently.
Password(-veri er) based authentication[8 ]
Die-Hellman based key agreement[12 ]
Easy generalization[28 ]
Password le protection
For achieving the goal, we prop ose two simple ideas called the ampli ed password pro of that
makes a user amplify her password and prove to know the ampli ed password, and the
ampli ed password le that makes a server store the ampli ed veri er for resisting a server le
compromise and a dictionary attack. From the p ointofview,we name our proto col AMP that
stands for Authentication and key agreement via Memorable Password. Regarding several
i n
functional issues, we also present ma jor variants of AMP. They are called AMP , AMP ,
n+ + ++ c
n
AMP , AMP , AMP , and AMP . Among them, AMP is actually the basic proto col
of this pap er that describ es the ampli ed password pro of idea though it is designed for
a symmetric setup. Several minor variants also can be considered but they are explained
implicitly. We compare the eciency of all veri er-based proto cols. Actually, AMP is the
most ecient proto cols among the existing veri er-based proto cols. Note that AMP will b e
designed to avoid explicit encryption/decryption at least for authentication and veri cation
though it will provide a key agreement function.
2 AMP Proto col Design
2.1 Preliminaries
AMP is typically the twoparty case so that we use Al ice and Bob for describing a clientand
a server, resp ectively. Eve indicates an adversary whether she is passive or active. and
:
denotes password and salt, resp ectively. = means a comparison of two terms, for example,
:
1
= . Let f0; 1g denote the set of nite binary strings and f0; 1g the set of in nite ones.
implies the empty string. k is our securityparameter long enough to prevent brute-forcing
2 1
l (k )
while l (k ) 2k , ! (k ) k , and t(k ) k . h() : f0; 1g !f0; 1g means a collision-free
3 3 3
one-way hash function. All hash functions are assumed to behave like random oracles for
security pro of[3]. Note we abbreviate a mo dular notation, mo d p, for convenience hereafter.
l (k )
Random Oracle. We assume random oracles h () : f0; 1g ! f0; 1g for i 2 [1; 5].
i
If Eve sends queries Q ; Q ; Q ; ::: to the random oracle h , she can receive answers h (Q ),
1 2 3 i i j
all indep endently random values, from the oracle. Let h() denote a real world hash function.
For practical recoveries of random oracles in the real world, we de ne; h (x) = h(00jxj00),
1
h (x)=h(01jxj01), h (x)=h(01jxj10), h (x)=h(10jxj10) and h (x)=h(11jxj11) by follow-
2 3 4 5
ing the constructions given in the Bellare and Rogaway's work[3 ]. j denotes the concatenation.
Numerical Assumption. Security of AMP is based on two familiar hard problems which
are b elieved infeasible to solve in p olynomial time. One is Discrete Logarithm Problem;given
x
a prime p, a generator g of a multiplicative group Z , and an element g 2 Z , nd the
p p
integer x 2 [0;p 2]. The other is Die-Hellman Problem; given a prime p, a generator g
x y xy
of a multiplicative group Z , and elements g 2 Z and g 2 Z , nd g 2 Z . These
p p p p
two problems hold their prop erties in a prime-order subgroup[30, 28 ]. We assume that all
numerical op erations of the proto col are on the cyclic group where it is hard to solve these
problems. We consider the multiplicativegroup Z and actually use its prime-order subgroup
p
Z . We should use its main op eration, a mo dular multiplication, for easy generalization. For
q
the purp ose, Bob cho oses g that generates a prime-order subgroup Z where p = qr +1. Note
q
that a prime q must be suciently large (> l (k )) to resist Pohlig-Hellman decomp osition
and various index-calculus metho ds but can b e much smaller than p[30 , 32 , 33 ]. It is easy to
(p 1)=q
. Z is preferred for eciency and for preventing make g by where generates Z
q
p
a small subgroup con nement more e ectively. By con ning all exp onentiation to the large
prime-order subgroup through g of Z , each party of the proto col is able to detect on-line
q
attack whenever a received exp onential is con ned to a small subgroup. We can use a secure
prime mo dulus p suchthat(p 1)=2q is also prime or each prime factor of (p 1)=2q is larger
than q ,orasafe prime mo dulus p such that p =2q + 1[24 ]. We strongly recommend to use a
secure prime mo dulus b ecause it allows much smaller q , e.g., closely down to l (k ).
2.2 Our Idea
Our idea is to \amplify" the lowentropy of password (1) on the well-structured cryptographic
proto col, i.e., on the secure interaction b etween communicating parties, and (2) in the well-
structured password le, b oth for securing password authentication and password le.
Definitions. Firstly we give some useful de nitions followed by our detailed idea.
De nition 1 A Password Proof de nes; a party A who knows a low entropy secret cal led a
password makes a counterpart Bconvinced that Aiswho knows the password. 4
We can consider two kinds of setup such as a symmetric setup and an asymmetric setup.
The asymmetric setup could b ene t from salt for overcoming the text-equivalence of the
symmetric setup. The password pro of is actually comp osed of two kinds of pro of.
De nition 2 ASecure PasswordProof de nes; a party A successful ly performs the Password
Proof without revealing any information about the password itself.
De nition 3 An Insecure PasswordProof de nes; a party A successful ly performs the Pass-
word Proof but fails the Secure Password Proof, or aparty Asuccessful ly performs the Pass-
word Proof by showing some or al l information about the password.
The insecure pro of can b e classi ed into the fully insecure password pro of suchasPAP(password
only), the partially insecure password pro of such as CHAP(challenge and handshake), and
the cryptographically insecure password pro of such as some cryptographic proto cols.
De nition 4 An Ampli ed Password Proof de nes; a party A who knows a password am-
pli es the password and makes a counterpart B convinced that A is who knows the ampli ed
password.
The Amplification. Our ampli cation idea is very simple, for example, Al ice insists on her
knowledge of password by giving x + mo d q rather than only, while x is the randomly-
chosen high entropy information. For the purp ose, fresh x must be securely committed by
Al ice prior to her pro of of each session. (x + is not guessable at all whereas is guessable,
if x is kept secret.)
De nition 5 The Ampli ed Password $ de nes a value that only who knows and x can
make from A( ; x) where x is chosen randomly at Z and is a human-memorable password
q
for an arbitrary ampli cation function A(). (Note: $ is rather ephemeral.)
We con gure this idea as an ampli ed password pro of.
The Amplified Password Proof. Assume that Al ice knows while Bob knows g .
The pro cedure of the ampli ed password pro of is comp osed of basically three steps such as
initial commitment, challenge, and resp onse; the initial commitment step performs a secure
commitment of x having high entropy by Al ice; the challenge step p erforms a random chal-
lenge of y by Bob;theresp onse step p erforms a knowledge pro of of Al ice ab out the ampli ed
password $ . We de ne three functions for each step; they are G () for initial commitment,
1
G () for challenge, and H () for resp onse.
2
De nition 6 The Ampli ed Password Proof performs; Al ice who knows her password ,
randomly chooses and commits the high-entropy information x to Bob. Bob who knows g ,
picks y at random and asks Al ice if she knows the password and the committed information.
Al ice responds with the fact she knows the ampli ed password $ . 5
Alice Bob
G (x)
1
initial commitment !
G (y )
2